vb.org Archive


Skyline_GT 05-14-2005 01:12 AM

Ip verify when login
 
I wonder, is it possible to do this? When they log in, it will verify against the IP that they used when they registered? I think this is a good security feature.

KTBleeding 05-14-2005 01:24 AM

Not THAT bad of an idea, but that means they won't be able to login from a school / work / other computer.

Tekton 05-14-2005 03:20 AM

Wouldn't be too hard, but I would strongly recommend against it. (see what KTB said).

You'd have to store the IP at registration; you could make a new field for that in the user table and then just go into the (functions_register?) and add it in for the address. $_SERVER['REMOTE_ADDR'] is what you need for their IP I think.

functions_login.php is the file where you will have to match their IP to the IP stored in the user field.

Skyline_GT 05-14-2005 03:29 AM

I think there should be an option when they register, or they can activate or deactivate the option in their user cp.

Can you post more detailed instructions, please?
Thanks.

Tekton 05-14-2005 04:01 AM

Quote:

Originally Posted by Skyline_GT
I think there should be an option when they register, or they can activate or deactivate the option in their user cp.

Can you post more detailed instructions, please?
Thanks.

Well, I'm not going to go through the usercp option right now, but assuming you stored the IP address in a user table field, named "reg_ip" or something.

in includes/functions_login.php, find:
PHP Code:

if ($bbuserinfo = $DB_site->query_first("SELECT userid, usergroupid, membergroupids, username, password, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . addslashes(htmlspecialchars_uni($username)) . "'"))
{
    if (
        $bbuserinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $bbuserinfo['salt']), '') AND
        $bbuserinfo['password'] != md5($md5password . $bbuserinfo['salt']) AND
        $bbuserinfo['password'] != iif($md5password_utf, md5($md5password_utf . $bbuserinfo['salt']), '')
    )
    {
        return false;
    }

and CHANGE TO:
PHP Code:

if ($bbuserinfo = $DB_site->query_first("SELECT userid, usergroupid, membergroupids, username, password, salt, reg_ip FROM " . TABLE_PREFIX . "user WHERE username = '" . addslashes(htmlspecialchars_uni($username)) . "'"))
{
    if (
        $bbuserinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $bbuserinfo['salt']), '') AND
        $bbuserinfo['password'] != md5($md5password . $bbuserinfo['salt']) AND
        $bbuserinfo['password'] != iif($md5password_utf, md5($md5password_utf . $bbuserinfo['salt']), '')
    )
    {
        return false;
    }
    // Added check: refuse the login when the current IP differs from the stored one
    if ($bbuserinfo['reg_ip'] != $_SERVER['REMOTE_ADDR'])
    {
        return false;
    }

I'm pretty sure that'd do the right thing. But you'd need to add a condition to check if that field was blank, etc and not run that condition to prevent lock-out. Do you know how to add the code you need to the registration php?
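
A sketch of the check with the blank-field guard mentioned in the post above, as an added example that is not part of the original post and not vBulletin code. It goes a little beyond the post by limiting the check to chosen usergroups and allowing a prefix match for a fixed network range; the function name, its parameters and the sample group id are assumptions.

```php
<?php
// Added example, not vBulletin code; all names here are hypothetical.

/**
 * Decide whether a login passes a registration-IP policy.
 * $lockedGroups: usergroup ids the policy applies to (everyone else passes).
 * $prefixBits:   leading address bits that must match; null means exact match.
 */
function ip_policy_allows($storedIp, $remoteIp, $usergroupId, array $lockedGroups, $prefixBits = null)
{
    if (!in_array((int) $usergroupId, $lockedGroups, true)) {
        return true;                       // policy not enabled for this group
    }
    $storedIp = trim((string) $storedIp);
    if (filter_var($storedIp, FILTER_VALIDATE_IP) === false) {
        return true;                       // blank or invalid stored value: skip, avoid lock-out
    }
    if (filter_var($remoteIp, FILTER_VALIDATE_IP) === false) {
        return false;                      // cannot identify the client: refuse
    }
    $stored = inet_pton($storedIp);
    $remote = inet_pton($remoteIp);
    if (strlen($stored) !== strlen($remote)) {
        return false;                      // IPv4 vs IPv6 never match
    }
    $maxBits = strlen($stored) * 8;
    $bits = ($prefixBits === null) ? $maxBits : max(0, min((int) $prefixBits, $maxBits));
    $full = intdiv($bits, 8);
    if (substr($stored, 0, $full) !== substr($remote, 0, $full)) {
        return false;
    }
    if ($bits % 8 === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF;  // partial byte of the prefix
    return (ord($stored[$full]) & $mask) === (ord($remote[$full]) & $mask);
}

// Constructed sample data (documentation address ranges); group 6 is a hypothetical admin group.
$locked = array(6);
var_dump(ip_policy_allows('192.0.2.10', '192.0.2.10', 6, $locked));        // same address
var_dump(ip_policy_allows('192.0.2.10', '198.51.100.7', 6, $locked));     // different address
var_dump(ip_policy_allows('', '198.51.100.7', 6, $locked));               // no stored IP
var_dump(ip_policy_allows('192.0.2.10', '192.0.2.200', 6, $locked, 24));  // same /24
var_dump(ip_policy_allows('192.0.2.10', '198.51.100.7', 2, $locked));     // group not covered
```

Behind a reverse proxy or load balancer, `$_SERVER['REMOTE_ADDR']` is the proxy's address, so the value passed as `$remoteIp` has to come from a header that only the trusted proxy can set.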

Skyline_GT 05-14-2005 06:18 AM

Please list it..
Thanks..

BTW: is it possible that it only applies to a certain usergroup? I think based on usergroup is better for me.

Marco van Herwaarden 05-14-2005 08:54 AM

First of all, the registration IP is already stored in the user table. That is out of the box behaviour for vB.

About checking this: very bad idea, don't do it!!!
What about people on dynamic IP's?

Tekton 05-14-2005 02:49 PM

oh, I didn't know it stored it already. One less thing to do, I guess~

aloha 05-15-2005 12:11 AM

AOL has that security feature key, could this be implemented INSTEAD of the IP verification? So that we can use this passcode key to login? That would own. :devious: I used to work for them in the customer service department and this would be how we logged in from our homes and so forth... I've never had any of my accounts compromised in any shape or form. It's now a premium feature on AOL for those that want an extra layer of security on their account.

I believe it's run by RSA Security.

angelicGrace 05-15-2005 12:15 AM

Sounds great, but you may have members that have an ISP like mine that rotates their IP addy. Mine has been known to change as many as 15 times in one day. It could cause you more problems than it is worth.

Zachery 05-15-2005 12:24 AM

Quote:

Originally Posted by aloha
AOL has that security feature key, could this be implemented INSTEAD of the IP verification? So that we can use this passcode key to login? That would own. :devious: I used to work for them in the customer service department and this would be how we logged in from our homes and so forth... I've never had any of my accounts compromised in any shape or form. It's now a premium feature on AOL for those that want an extra layer of security on their account.

I believe it's run by RSA Security.

So a second password?

aloha 05-15-2005 12:34 AM

Yes basically. But there is a big difference with a 'second password' and this feature that I'm talking about... What happens is that this passkey generates a new password for you every 15 - 30 seconds. You wear this passkey on your keychain or whatever, if you lose it you can easily call them to reset it, but I don't lose my keys so I never have a problem with that. I think this would be an excellent second layer of protection for superadmins and those with query permissions.

You log in with your current password, + the new generated passcode key in order to be able to access the account. Otherwise you're locked out until you call in and have them reset it.

I'd love that as a vb extra.
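
The rotating passcode described in this post, shown with the open TOTP standard (RFC 6238) in place of the vendor token, whose algorithm is not given in the thread. This is an added example, not part of the original post or of vBulletin; the function names and the replay bookkeeping are assumptions.

```php
<?php
// Added example, not vBulletin or RSA code; function names are hypothetical.

/** HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, truncated to $digits decimals. */
function hotp($secret, $counter, $digits = 6)
{
    $msg = pack('N2', ($counter >> 32) & 0xFFFFFFFF, $counter & 0xFFFFFFFF);
    $mac = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($mac[19]) & 0x0F;                       // dynamic truncation
    $value = unpack('N', substr($mac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * TOTP (RFC 6238) check. Returns the matched time step, which the caller
 * stores as the account's last used step, or false when no code matches.
 */
function totp_verify($secret, $code, $now, $lastUsedStep, $period = 30, $window = 1)
{
    $current = intdiv((int) $now, $period);
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        if ($step < 0 || $step <= $lastUsedStep) {
            continue;                                     // replayed or out of range
        }
        if (hash_equals(hotp($secret, $step), (string) $code)) {
            return $step;                                 // constant-time comparison matched
        }
    }
    return false;
}

/** Second factor only: the password check must already have succeeded. */
function login_allowed($passwordOk, $secret, $code, $now, &$lastUsedStep)
{
    $step = $passwordOk ? totp_verify($secret, $code, $now, $lastUsedStep) : false;
    if ($step === false) {
        return false;
    }
    $lastUsedStep = $step;                                // persist per user in real use
    return true;
}

// Constructed demo using the published RFC 6238 test secret and time 59.
$secret = '12345678901234567890';
$last = -1;
var_dump(login_allowed(true, $secret, '287082', 59, $last));  // first use of the code
var_dump(login_allowed(true, $secret, '287082', 59, $last));  // same code replayed
```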

Zachery 05-15-2005 12:48 AM

Quote:

Originally Posted by aloha
Yes basically. But there is a big difference with a 'second password' and this feature that I'm talking about... What happens is that this passkey generates a new password for you every 15 - 30 seconds. You wear this passkey on your keychain or whatever, if you lose it you can easily call them to reset it, but I don't lose my keys so I never have a problem with that. I think this would be an excellent second layer of protection for superadmins and those with query permissions.

You log in with your current password, + the new generated passcode key in order to be able to access the account. Otherwise you're locked out until you call in and have them reset it.

I'd love that as a vb extra.

I still don't get it....

Skyline_GT 05-16-2005 07:01 AM

Yea. any way to increase the security would be great..

Zachery 05-16-2005 02:28 PM

Quote:

Originally Posted by Skyline_GT
Yea. any way to increase the security would be great..

Then add 8 more passwords and email verification every time someone logs in, on top of that, only let them login if the MAC address matches.

Paul M 05-16-2005 02:37 PM

Quote:

Originally Posted by Zachery
Then add 8 more passwords and email verification every time someone logs in, on top of that, only let them login if the MAC address matches.

Sounds like someone is being silly. IP verification can be useful IF you have a static ip (like on a corporate network). I would guess not all vb installations are public ......

Zachery 05-16-2005 02:39 PM

I understand that, the point I'm trying to make is, vB already provides a lot of security as it is.

Unless you have an easy to guess password, even the administrator can't find out what it is (without hacking, assuming they have left the current system in place).

Adding another password, etc., is worthless, because then it's just a matter of finding out another piece of data.

If you need more security, it gets harder after requiring a password and a username.. esp online

jugo 05-16-2005 03:24 PM

I totally agree with Zachery.

I think that if people spent a little more time creating hard to crack passwords, they may not have as many problems with people cracking their accounts.

And forum admins would have more time to improve the boards.

I think if you want your system to be that much more secure, stick it behind a VPN and create VPN tunnels for your users.

